SIM hijacking is a very real danger to a phone-dependent community
The Department of Justice last week charged nine individuals with stealing cryptocurrency through identity theft. The individuals, who called themselves “The Community,” stole $2.4 million worth of crypto over the course of seven individual attacks.
Six members of The Community were listed in an indictment unsealed by the department last week, while criminal charges have been brought against the remaining three. With the exception of a single Dublin resident, the alleged criminals are spread out across the United States.
The Community used SIM hijacking — a technique in which hackers take control of a victim’s identity by porting their phone number to a new SIM card. On the surface this sort of attack seems relatively innocuous, until you consider that just about all of our most important information lives on our phones these days. The indicted individuals then used the phone numbers to access the victim’s email, cloud storage and cryptocurrency exchange accounts by changing online passwords or bypassing security measures like two-factor authentication codes, which require the entry of two passwords to access a service.
U.S. Attorney Matthew Schneider reminded users about the increasing importance of mobile phones as a tool for identification. “This case should serve as a reminder to all of us to protect our personal and financial information from those who seek to steal it,” he stated.
In a nod to the complex nature of a case involving cryptocurrency and identity theft, Angie Salazar, acting special agent with the Homeland Security Investigation (HSI) in Detroit, noted that criminal groups are increasingly turning to web-based schemes to conduct illicit activities. She also stated that HSI has “developed capabilities to meet these threats head on.”
SIM Hijacking Explained
Simply put, SIM hijacking is theft of personal identity by hijacking a victim’s SIM card. The process, as described in the DoJ press release and various media reports, involves a mix of impersonation and online sleuthing.
This is far from the first collision between the crypto and identity theft worlds. In February, Joel Ortiz, a 20-year-old Boston resident, became the first hacker to be convicted of SIM hijacking. He is now serving ten years for the January 2018 theft of $5 million worth of cryptocurrency. Manhattan resident Nicholas Truglia was arrested in November of 2018 for stealing $23 million from a well-known cryptocurrency investor through a SIM swap.
VR company founder Cody Brown also lost Bitcoin worth $8,000 in 15 minutes from his Coinbase account in 2017, thanks to a SIM hijacker. Such threats have been on the rise. Telecom carrier T-Mobile warned customers about them in a mass text message last year.
The first step in a hijack is porting SIM cards. Criminals request a transfer of the victim’s phone number to a new SIM card by impersonating them in calls to mobile service providers. Relevant personal details about the victim, such as their date of birth and last four digits of their social security number, which are used to verify their identity, are then sourced from data marketplaces on the dark web or basic Google searches. In the case of The Community, two members worked as contractors with AT&T, and another was a former Verizon employee.
Because only one SIM card can be connected to a phone number, the victim loses control of their phone once it is ported to a new card. This means that calls made to a victim’s phone number will ring on the perpetrator’s phone with the new SIM card. Text verification codes for online services will also be received there. From here, it’s child’s play for criminals to access the victim’s online accounts. Most online services now use phone numbers as one of the steps in a two-part authentication process.
Twitter and Instagram are among those platforms requiring your mobile phone number to verify identity and provide access to locked accounts. Coinbase, the largest crypto exchange in North America, requires users to register with the same phone number on the Authy app while registering a new device.
In previous cases, prosecutors used the IMEI (International Mobile Equipment Identity) number and data from telecom and tech companies in order to identify criminals. Investigating these crimes has become a group effort. In one case, AT&T provided call detail records pertaining to IMEI numbers, and Apple provided data relating to the accounts linked to that same IMEI number.
The Good News: You Can Protect Yourself
Because password authentication methods are generally determined by the online service or telecom carriers, users have limited control over them. Four mobile carriers (Sprint, Verizon, AT&T and T-Mobile) joined together last year to form the Mobile Authentication Task Force to reduce risks. But details remain vague. In the meantime, users can take steps of their own to safeguard against SIM hijacking.
The first is to set up an access password for your phone. The more unusual or difficult the access password, the more difficult it will be for a hacker to access a phone’s contents. While it already has biometric identification, Coinbase also offers users the option of additional security measures, such as setting another password for access, or requiring multiple email accounts to confirm an action.
As always, consumers should be alert to unusual or suspicious activity in their online accounts. Several services send alerts to users when they detect unusual activity. Gmail, for one, sends out an alert every time an email account is accessed from a different browser or location. It may be an annoying encumbrance, but the added security measures are nothing compared to the havoc a SIM hijacker can wreak on a person’s life. Consumers can do their part by reporting any unusual activity to the host platform.